This morning I dropped my LG G4 (Android 6 Marshmallow) phone and shattered the display. I plan to buy a new shiny phone and sell the old one cheap.

I use Lastpass Premium to store all my passwords, and since I'm an IT consultant I have hundreds of VPN and server logins stored. 2-factor authentication is not enabled either for the Lastpass master login or for the majority of the stored credentials, so I really need to make sure that there is no way for an attacker to gain access to my vault.

What steps can I take to make sure my data is safe? As I understand it, each device with Lastpass keeps a cached copy. So even if I change my master password an attacker might be able to restore that file from the file system and, given he has full access to the phone, find the (old but still valid) password written to disk by some obscure driver deep down in Android.

If the risks involved in selling my old phone are deemed too high, I am willing to crush it with a hammer (if that is secure enough will be a follow-up question :-)

Preemptive EDIT: I enabled 2-factor authentication for Lastpass master login.

EDIT: I will of course do a phone reset and wipe/remove files before I sell the phone.

EDIT2: I believe my question is not a duplicate because it is not made by Nexus (resetting procedure prob. different), Android version differs, and I am particularly concerned about Lastpass which is not mentioned in the other question.

David
  • You mean besides 'nuke it from orbit'? – LvB Jun 14 '16 at 11:57
  • precisely. (I had to google that expression) :) – David Jun 14 '16 at 11:59
  • @David.... if you're really *that* worried, then there's only one answer.... don't...sell..the..phone! Either put it in the back of a cupboard and forget about it, or shred it at a secure facility. If you're an "IT consultant managing hundreds of VPNs", then I'm guessing your job is fairly well paid and you can afford to not sell the phone! ;-) – Little Code Jun 14 '16 at 12:11
  • Well, if there is a way that I can sell my phone without jeopardizing my customers and my reputation I would be happy. And I'm not that rich even if I do admit it sounds like it when I mentioned "hundreds of VPNs and servers" :). I have been working for so many small customers the last 10 years so it all adds up. – David Jun 14 '16 at 12:19
  • Did you enable offline access? Only in this case the encrypted storage will be saved on your device. – James Cameron Jun 14 '16 at 14:10
  • Sounds like a perfect question for the [Lastpass support forums](https://forums.lastpass.com/) –  Jun 14 '16 at 14:45
  • David - while the details between your question and the other one differ, the solution is definitely the same. You can google resetting options for your phone to see the exact details. This site generally doesn't provide support for specific models of phones. And definitely contact LP support. – Neil Smithline Jun 14 '16 at 16:04
  • This seems like a *"How to do this with my phone?"* question which may be more suitable on the StackExchange website dedicated to Android devices: [android.se]. – WhiteWinterWolf Jun 14 '16 at 16:42

1 Answer

Another thing you can do is to remove it from "Trusted devices". You can achieve this with the following steps:

  1. Log in to LastPass
  2. View your vault
  3. Click on Account Settings (near the bottom left of the screen)
  4. Click the third tab in the popup window named "Trusted Devices"
  5. Disable or Delete the broken phone
Bob Ortiz
DomBat
  • Yes, but the question asks specifically about "a cached copy" and the threat of restoring the password database. – techraf Jun 14 '16 at 12:52
  • That was one of the points, but "What steps can I take to make sure my data is safe" is general, so if the attacker knew the username and password then removing it as a trusted device would be useful. The comment would be useful to someone else in the future even if not for the question writer. – DomBat Jun 14 '16 at 13:03